Traditional web services that are accessed by a web browser typically utilize hypertext markup language (HTML) and JavaScript, which provide the capability to determine legitimate use of the web service, such as by presenting Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHAs) and other challenge questions to the user. However, unlike traditional web services, wireless communication devices often employ mobile applications to communicate with web servers. Mobile applications typically pull data down from web servers for display to the user, and also allow the user to modify the data and submit it back to the server.
Mobile applications commonly utilize mobile application programming interfaces (APIs) to communicate with external web services and provide their functionality to the user. The communication between native mobile applications and mobile APIs on the web servers is typically done using JavaScript Object Notation (JSON), Extensible Markup Language (XML), and other formats that carry no security mechanism of their own but are simply used to exchange data between the client and server. Thus, the core application communication between the mobile application and the web service utilizes a mobile API with no security in place to validate the legitimacy of the request. In addition, various kinds of toolkits and software may be used to automate user interactions on mobile devices. Unfortunately, these automation techniques may be exploited by malicious users to launch various security attacks on the web service.
Overview
A method of operating a communication system to facilitate detection of real user interaction with mobile applications is disclosed. The method comprises, in a wireless communication device, executing a mobile application that generates a web service request and executing a client security component of the mobile application to include user behavior attributes in the web service request. The method further comprises, in the wireless communication device, utilizing a mobile application programming interface (API) to transfer the web service request including the user behavior attributes for delivery to a web server. The method further comprises, in the web server, executing a server security component of a web service to extract the user behavior attributes from the web service request and process the user behavior attributes to determine whether or not the mobile application is being operated by a human user.
This Overview is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. It may be understood that this Overview is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
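The server-side half of the method above, as an added illustration that is not code from the disclosure: the server security component extracts the user behavior attributes from a JSON web service request and decides whether the mobile application appears to be operated by a human. The request field names, the particular attributes (touch intervals, touch pressure, time to submit) and the thresholds are assumptions chosen for this example; the sample request is constructed.

```python
import json
import statistics

# Constructed sample request: the field names and the choice of behavior
# attributes are assumptions for this example, not values from the disclosure.
HUMAN_REQUEST = json.dumps({
    "action": "update_profile",
    "payload": {"display_name": "alice"},
    "user_behavior": {
        "touch_intervals_ms": [412, 387, 530, 295, 461],
        "touch_pressure": [0.42, 0.51, 0.38, 0.47, 0.44],
        "time_to_submit_ms": 6400,
    },
})

def extract_behavior_attributes(request_body: str) -> dict:
    """Server security component: pull the user behavior attributes out of
    the JSON request body; absent or malformed attributes yield {}."""
    try:
        doc = json.loads(request_body)
    except json.JSONDecodeError:
        return {}
    attrs = doc.get("user_behavior") if isinstance(doc, dict) else None
    return attrs if isinstance(attrs, dict) else {}

def _looks_scripted(samples) -> bool:
    """A series of identical readings is characteristic of replayed or
    synthesized input; real touch input varies from event to event."""
    if not isinstance(samples, list) or len(samples) < 3:
        return True
    return statistics.pstdev(samples) == 0

def is_human_user(attrs: dict) -> bool:
    """Decide from the extracted attributes whether a human operated the
    application. The 500 ms submit floor is an illustrative assumption."""
    if not attrs:
        return False  # no attributes at all: treat the request as automated
    if _looks_scripted(attrs.get("touch_intervals_ms")):
        return False
    if _looks_scripted(attrs.get("touch_pressure")):
        return False
    submit = attrs.get("time_to_submit_ms")
    if not isinstance(submit, (int, float)) or submit < 500:
        return False  # form completed faster than a person plausibly could
    return True

def classify_request(request_body: str) -> str:
    """Full server-side path: extract the attributes, evaluate, label."""
    attrs = extract_behavior_attributes(request_body)
    return "human" if is_human_user(attrs) else "automated"

if __name__ == "__main__":
    print(classify_request(HUMAN_REQUEST))
```

A production classifier would replace these hand-written thresholds with a model trained on attributes collected from known human and known automated sessions, but the extract-then-evaluate structure stays the same.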